It is shown that the effect of transmission loss has often not been properly taken into account in the security proofs on quantum key distribution. A class of general attacks, to be called probabilistic re-send attacks, is described that has not been accounted for; it is a generalization of the well-known unique state determination attack. In the case of the four-state single-photon BB84 protocol, it is shown in detail how such attacks are not accounted for in the known security proofs against the simplest individual attacks.



I. INTRODUCTION 



Real optical systems have significant loss from the transmitted signal to the detected signal. If the transmission loss is small one can treat the deleted bits as random errors and deal with them by an error correcting code. Security claims, however, have often been made with arbitrary loss taken into account just on the throughput via post-detection selection of the detected bits. That this is clearly not a valid inference can be seen from the situation of the two-state B92, for which security is totally breached in an intercept-resend attack when the loss is above a certain threshold determined by the two signal states [1]. Such an attack can be generalized to any BB84-type protocol involving any number of coherent states, which are necessarily linearly independent and hence allow such a "zero error" attack in the presence of sufficient loss [2]. These general attacks have been called unique state determination (USD) attacks, and they are identical to attacks with probabilistic exact cloning [3]. For the four-state BB84, the optimal individual attack is the same as an approximate cloning attack. Probabilistic approximate cloning may, however, sometimes lead to better performance than approximate cloning itself [4]. Thus, the attacker Eve could launch attacks by probabilistic approximate cloning, and not just on single qubits (or the boson modes they embed in, to be called "qumodes") but on segments of qubits with entanglement or perhaps the whole key sequence. In this paper, such an attack is further generalized to what will be called the probabilistic re-send (PRS) attack, which has not been accounted for in the security proofs of lossy systems thus far. In the case of individual attacks on the four- and six-state BB84 protocol with transmission loss, a general attack formulation is possible that includes all attacks. It will be shown in the four-state case that there are indeed attacks lying outside the ones treated without loss or with loss and just throughput reduction.
II. INCOMPLETENESS OF MERE POST-DETECTION SELECTION



The argument is often made that all the losses in the cryptosystem could just be lumped together by a loss parameter which affects the rate of final key bits that can be generated but not the key security. In [5, p. 336] it is stated explicitly that "Detector inefficiencies and other types of losses can be incorporated into the Shor-Preskill security analysis easily enough. Through public discussion, Alice and Bob can eliminate from their sifted key all signals for which Bob failed to record a measurement result". In [6] only detector loss is represented with no transmission loss, presumably for the same reason since the results are applied to the NEC cryptosystem [7,8] to operate with significant transmission loss. Although the four BB84 states are not linearly independent so that USD attack does not apply directly, a proof is needed to show why Eve cannot take advantage of the transmission loss and do better. In general, the following PRS attack needs to be fully accounted for.

Transmission loss and detector loss are very different. Assuming as we do that Bob's detector loss cannot be controlled by Eve, detector loss would delete the incoming qubits randomly, independently of what Eve has done to them. On the other hand, for transmission loss Eve could intercept and then resend only those she chooses. She may or may not have the ability to replace the lossy transmission line with a lossless one. In [1-2] it was assumed she does have the capability, which makes it easy to see what she may do to her advantage. Even if she does not, her attack capability is still enlarged as we will show mathematically in the case of individual attacks in Appendix A. When she has the loss replacement capability, which is usually granted, we see that transmission loss becomes very different from detector loss since each of the incoming signals before detection has now been selected by Eve, which may raise her performance by an amount that has to be determined as a function of the transmission loss parameter $1 - \eta$, where $\eta$ is the transmittance of the line.
III. PROBABILISTIC RE-SEND (PRS) ATTACK

Generally, the users may try to combat loss by pre-detection as indicated in Fig. 1, with success probability itself limited by $\eta$. Examples include quantum non-demolition (QND) measurement (but see [9] on the inappropriate terminology) and heralded qubit amplifier [10]. Eve has a similar attack approach, the probabilistic re-send attack as indicated in Fig. 2. Sufficient loss would allow her to cover the deleted bits in various possible ways. The class of PRS attack evidently includes probabilistic approximate cloning. Note that this possibility of bit deletion from transmission loss violates the usual information-disturbance tradeoff that underlies QKD security of the BB84 and Ekert types which need to employ intrusion level estimation, in that information can be gained by Eve without causing any relevant disturbance.

FIG. 1: Schematic way to eliminate or reduce the effect of loss by user: loss is alleviated or eliminated with favorable pre-detection outcome.

FIG. 2: Schematic way to take advantage of loss by attacker: a more favorable input state pf from Eve's viewpoint is sought with possible quantum signal detection (PRS attack).

While PRS attacks can be covered in a sufficiently general formulation on Eve's probe formation, they are not automatically covered by mere post-detection selection as explained above, and also not by the use of squashing [11,12] or heralded qubit amplifier [10]. Specifically, squashing or QND measurement could reduce an infinite dimensional qumode to three levels, qubit plus vacuum state. Post-detection selection gets rid of the vacuum state. Heralded qubit amplifier is a pre-detection scheme of Fig. 1 that does for entangled pairs what QND measurement does for single photons. The question remains that transmission loss may have already allowed Eve to use the PRS attack of Fig. 2 that gives her better or much better performance than a security analysis which neglects such attacks would show. Even when line replacement is not possible for Eve to make up the loss from her bit deletion, she could use PRS attacks on some fraction of the qubits allowed by the loss, which are not accounted for by mere post-detection selection. In fact, there are more attack possibilities even if line replacement is not allowed, as shown in Appendix A.



IV. CONCLUSION

Significant loss cannot be avoided in optical signal transmissions. Thus, any practical application of QKD must deal with the loss induced security issues. A small amount is already known [13] to cause a huge security problem when the photon detection mechanism is exploited in the detector "blinding attacks". In this paper we have shown that a whole class of PRS attacks has not been accounted for in existing security analysis, not even for individual attacks when Eve cannot replace the transmission loss. Until all attacks allowed by the laws of quantum physics are taken into account, a security proof cannot be said to provide "unconditional security" even if the analysis is entirely valid.
Appendix A: Identical individual attacks (IIA) on lossy single-photon BB84

This appendix is derived from a 2008 internal memo by R. Nair and H.P. Yuen.

We now demonstrate that even without replacing the lossy line by a lossless one, Eve may launch attacks not covered by a lossless analysis with post-detection selection adjustment.

We make the following assumptions: 

1. Alice's state source is perfect and prepares one of the four BB84 states $|0\rangle$, $|1\rangle$, $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$, or $|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$ in the two-dimensional signal space $\mathcal{H}_A$ in the case of the 4-state protocol. In the case of the 6-state 'BB84' protocol, the two states $|L\rangle = \frac{1}{\sqrt{2}}(|0\rangle + i|1\rangle)$ and $|R\rangle = \frac{1}{\sqrt{2}}(|0\rangle - i|1\rangle)$ are additionally prepared. Note that, in this memo, $\mathcal{H}_A$ is simply an abstract two-dimensional Hilbert space - the possibility of various implementations of this space is left open. The most common one is that of embedding $\mathcal{H}_A$ in $\mathcal{H}_{\rm horiz} \otimes \mathcal{H}_{\rm vert}$ as the single-photon subspace, with $|0\rangle \in \mathcal{H}_A$ corresponding to $|1\rangle_{\rm horiz}|0\rangle_{\rm vert}$ and $|1\rangle$ to $|0\rangle_{\rm horiz}|1\rangle_{\rm vert}$. $\mathcal{H}_{\rm horiz}$ and $\mathcal{H}_{\rm vert}$ are respectively the infinite-dimensional Fock spaces representing the horizontal and vertical polarization modes of a field mode.

2. The received state of Bob (even in the presence of Eve) is assumed to lie in a three-dimensional Hilbert space $\mathcal{H}_B = \mathcal{H}_A \oplus \mathrm{span}\{|\emptyset\rangle\}$. Here $|\emptyset\rangle$ represents the 'no-count' state and is orthogonal to $\mathcal{H}_A$ - it is the vacuum state in the polarization implementation described above. In the absence of Eve, the transmission medium between Alice and Bob is represented by the following loss map:

$\rho \mapsto \eta\rho + (1 - \eta)|\emptyset\rangle\langle\emptyset|,$ (1)

where $\rho \in \mathcal{H}_A$ and the output state is in $\mathcal{H}_B$. In other words, we assume (in the absence of Eve) a loss channel with state-independent throughput (i.e., transmittance) $\eta$. It may easily be verified that such a loss channel results in the polarization implementation when the horizontal and vertical polarizations are subjected to independent linear loss of magnitude $1 - \eta$.

3. Eve launches an identical individual attack (IIA). In other words, her action can be represented by a probe system $\mathcal{H}_E$ in some initial state $|E\rangle$ and the application of an isometry (i.e., inner-product preserving transformation) $T : \mathcal{H}_A \otimes \mathcal{H}_E \to \mathcal{H}_B \otimes \mathcal{H}_E$ on the signal + probe. This action is repeated with identically prepared probes on each of the transmitted signals.

4. For each of the signal states $|\psi_{\rm in}\rangle$, Eve's attack results in an effective $\rho_{\rm out} \in \mathcal{H}_B$. We assume that the throughput $\eta_{\psi_{\rm in}} := 1 - \langle\emptyset|\rho_{\rm out}|\emptyset\rangle = \eta$. In other words, Eve's action results in the same throughput for each of the four/six signal states of the 4-state/6-state protocol as would be seen if Eve was absent. We do not make any assumption on the throughput of the non-signal states.



5. Bob's detectors are perfect - he is assumed to be 
able to make without error and with unit success 
probability the ideal measurement projecting onto 
|0) and any one of the two/three orthogonal bases 
in the 4-state/6-state protocol. 

Our assumptions above are conservative in the sense that limiting Eve to IIA's is a restriction on her capability. The equal signal throughput condition 4 above is also conservative since the BB84 protocol does not explicitly include a check for uniformity of throughput across the signal states. Even if it did, such a check would be hard to implement. In practice, for single photon transmission through optical fibers, the throughput of the signal states may vary with time and may be polarization-dependent even in the absence of Eve. Thus, we are indeed limiting our study to a small class of attacks. On the other hand, PRS attacks are included in the formulation when lossless line replacement is not allowed. Unearthing new attacks in this conservative scenario would suggest the possibility of hitherto unstudied attacks under more general conditions.



A.1 Characterization of Attack Isometry T

A general isometry $T : \mathcal{H}_A \otimes \mathcal{H}_E \to \mathcal{H}_B \otimes \mathcal{H}_E$ is specified (at least on inputs where $\mathcal{H}_E$ is in the state $|E\rangle$) by the right hand sides of the two equations:

$T|0\rangle_A|E\rangle_E = \sum_{i=0,1,\emptyset} |i\rangle_B|\phi_i^0\rangle_E,$ (2)

and

$T|1\rangle_A|E\rangle_E = \sum_{i=0,1,\emptyset} |i\rangle_B|\phi_i^1\rangle_E.$ (3)

The kets of the $\mathcal{H}_E$ system are not normalized. The condition that T be an isometry results in the following conditions on the states $|\phi_i^b\rangle_E$:

$\sum_{i=0,1,\emptyset} \|\phi_i^b\|^2 = 1, \quad b = 0,1,$ (4)

and 

j=O,l,0 

The restriction imposed by our Assumption 4 is more interesting. By using the linearity of T and the fact that the loss (loss := 1 - throughput) $1 - \eta_\psi$ of an input state $|\psi\rangle_A$ is given by the squared-norm of the state in $\mathcal{H}_E$ multiplying $|\emptyset\rangle_B$ in $T|\psi\rangle_A|E\rangle_E$, one gets the following general expression for the loss seen by any state $|\psi\rangle_A = a|0\rangle_A + b|1\rangle_A$:

$1 - \eta_\psi = |a|^2\|\phi_\emptyset^0\|^2 + |b|^2\|\phi_\emptyset^1\|^2 + 2\mathrm{Re}[a^* b\langle\phi_\emptyset^0|\phi_\emptyset^1\rangle].$ (6)
Let us impose Assumption 4 for the 4-state BB84 protocol. The condition that $\eta_0 = \eta_1 = \eta$ implies that

$\|\phi_\emptyset^0\|^2 = \|\phi_\emptyset^1\|^2 = 1 - \eta.$ (7)

The restrictions that $\eta_+ = \eta_- = \eta$ are both satisfied if and only if

$\mathrm{Re}\langle\phi_\emptyset^0|\phi_\emptyset^1\rangle = 0.$ (8)

Interestingly, this condition actually implies that $\eta_\psi = \eta$ for all $|\psi\rangle_A = a|0\rangle_A + b|1\rangle_A$ with $a, b \in \mathbb{R}$, i.e., for all states on the great circle of the Bloch sphere containing the 4 BB84 states. In the case of the 6-state protocol, we have the additional restrictions $\eta_L = \eta_R = \eta$. In this case, we can show from (6) that we must have



0. 



(9) 



Adding this last condition to the rest in fact implies that $\eta_\psi = \eta$ for all $|\psi\rangle_A \in \mathcal{H}_A$. To summarize, the conditions (4), (5), (7), (8) must hold for both 4-state and 6-state BB84 and (9) holds for 6-state BB84.



A.2 Filtering of No-Count Events

The isometry T studied above contains more information than is necessary for a security analysis. Apart from unitary freedoms in Eve's actions and in choice of the initial probe state, we have not yet considered the following filtering operation that Bob performs: When Bob measures a particular signal system $\mathcal{H}_B$ in the state $|\emptyset\rangle$, that system cannot be used for generating key and is discarded. Thus, we imagine a two-valued projection measurement by Bob consisting of the projection onto $|\emptyset\rangle$ and the projection $P_A$ onto $\mathcal{H}_A$. In practice, Bob makes a single three-valued measurement, but we may conceptually divide this into the step of making the above two-valued measurement followed by measurement of one of the BB84 bases. Since the protocol proceeds only on the cases where Bob obtains a result in $\mathcal{H}_A$, we write the post-selected output states corresponding to inputs $|0\rangle_A$ and $|1\rangle_A$:

$P_A T|0\rangle_A|E\rangle_E = \sum_{i=0,1} |i\rangle_B|\phi_i^0\rangle_E,$ (10)

and

$P_A T|1\rangle_A|E\rangle_E = \sum_{i=0,1} |i\rangle_B|\phi_i^1\rangle_E.$ (11)

We may re-normalize these states to norm 1 by dividing by $\sqrt{\eta}$, the square root of the throughput. If we define hatted (post-selected) states $|\hat{\phi}_i^b\rangle_E = |\phi_i^b\rangle_E/\sqrt{\eta}$, we get the following conditions on the hatted states from (4-5):

$\sum_{i=0,1} \|\hat{\phi}_i^b\|^2 = 1, \quad b = 0,1,$ (12)

and

i=0,1 (13)

For the 4-state BB84 protocol, the RHS of Eq. (13) is a pure imaginary number because of (8):

(14)

with lei

For the 6-state protocol, on the other hand, $\langle\phi_\emptyset^0|\phi_\emptyset^1\rangle = 0$. It is then readily verified that the Eqs. (12) and (13) are identical to the conditions that would result from Eve applying an attack isometry $S : \mathcal{H}_A \otimes \mathcal{H}_E \to \mathcal{H}_A \otimes \mathcal{H}_E$, which corresponds to an attack on the lossless case (this may also be seen to result from Eqs. (2) and (3) by setting the throughput $\eta$ identically to 1).

The equations (10) and (11) along with conditions (12) and (13) are the starting point for the security analysis involving, for example, the calculation of the information-disturbance tradeoff between Eve's information and the induced error rate [14]. From the above, we may conclude that under our assumptions, a fresh calculation of this tradeoff is not necessary for the 6-state protocol as it would yield exactly the same results. For the 4-state protocol, on the other hand, the possibility of Eve inducing a non-zero RHS in Eq. (13) opens up a new class of identical individual attacks that have not been included in the security analysis to date and provide an urgent problem for the security of the protocol.
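
The following added example (not from the paper or the memo it cites) numerically checks the Appendix A conditions on one constructed family of probe states: it satisfies the isometry requirement and the equal-throughput conditions (7) and (8) for the four BB84 states, yet leaves a purely imaginary overlap among the post-selected states that a lossless analysis would require to vanish. The two-dimensional probe, the parameter `s` and all function names are assumptions of this example.

```python
import math

VAC = "vac"  # label for Bob's no-count outcome (name chosen for this example)
H = 1 / math.sqrt(2)
# Amplitudes (a, b) of a|0> + b|1> for the four BB84 states plus L and R.
SIGNALS = {"0": (1, 0), "1": (0, 1), "+": (H, H), "-": (H, -H),
           "L": (H, 1j * H), "R": (H, -1j * H)}

def inner(u, v):
    """Inner product <u|v>, conjugate-linear in the first argument."""
    return sum(p.conjugate() * q for p, q in zip(u, v))

def build_probe_states(eta, s):
    """Unnormalized probe kets phi[b][i] (2-dim probe) for input bit b and
    Bob outcome i; s sets the imaginary vacuum overlap <phi_vac^0|phi_vac^1>."""
    if abs(s) * (1 - eta) > eta:
        raise ValueError("need |s|(1 - eta) <= eta for a valid isometry")
    r, c = math.sqrt(1 - eta), math.sqrt(1 - s * s)
    x = -1j * s * (1 - eta) / math.sqrt(eta)  # cancels the vacuum overlap
    y = math.sqrt(max(eta - abs(x) ** 2, 0.0))
    return {0: {0: (math.sqrt(eta), 0), 1: (0, 0), VAC: (r, 0)},
            1: {0: (x, 0), 1: (0, y), VAC: (1j * s * r, c * r)}}

def isometry_defect(phi):
    """Largest violation of normalization (4) and of <T(0,E)|T(1,E)> = 0."""
    norms = [abs(sum(inner(k, k) for k in phi[b].values()) - 1) for b in (0, 1)]
    cross = abs(sum(inner(phi[0][i], phi[1][i]) for i in phi[0]))
    return max(norms + [cross])

def throughput(phi, a, b):
    """1 - squared norm of the probe ket multiplying the no-count state, as in (6)."""
    vac = [a * p + b * q for p, q in zip(phi[0][VAC], phi[1][VAC])]
    return 1 - inner(vac, vac).real

def post_selected_overlap(phi, eta):
    """Sum over i = 0, 1 of the overlaps of the renormalized (hatted) kets."""
    return sum(inner(phi[0][i], phi[1][i]) for i in (0, 1)) / eta

if __name__ == "__main__":
    eta, s = 0.5, 0.6  # constructed sample parameters
    phi = build_probe_states(eta, s)
    for name, (a, b) in SIGNALS.items():
        print(name, round(throughput(phi, a, b), 6))
    print("overlap", post_selected_overlap(phi, eta))
```

For these sample parameters the L and R states see different throughput, so this family passes the 4-state throughput conditions but not the additional 6-state ones.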